mypinio

GDPR compliance. Built in, not bolted on.

mypinio is designed for organizations that handle personal data responsibly. Full GDPR compliance, self-service data subject rights, automated deletion, and transparent sub-processor management: by design, not as an afterthought.

GDPR Compliant | EU Data Residency | Self-Service Rights | Full Audit Trail | Automated Deletion

Privacy Policy & transparency

Processing activities, legal bases, retention periods, and sub-processors are documented in our Privacy Policy.

View Privacy Policy →

DATA SUBJECT RIGHTS

Your users' rights, built into the platform.

Right of access

Users can view and export all their personal data through our self-service GDPR center. JSON export with single-use download link, encrypted storage, 48-hour availability.

Right to erasure

Two deletion options: immediate or with a 14-day grace period. All workspace data, sessions, AI usage, and authentication data are permanently removed. Deletion records retained as legal proof.

Data portability

Complete data export in machine-readable JSON format. Includes profile data, memberships, sessions, survey metadata, notifications, and audit logs. One export per 24 hours, server-side streamed.

Right to rectification

Users can update their profile data directly in account settings. No support ticket needed: immediate self-service correction of personal information.

Right to restriction

Users can request processing restrictions at any time. Session revocation available through the GDPR center: revoke all other active sessions with one click.

Right to object

Users can object to processing based on legitimate interests at any time. Cookie consent can be withdrawn instantly via the cookie banner or platform settings.

IMPLEMENTATION

GDPR compliance at every layer.

Cookie consent management

Four-category consent system (necessary, analytics, marketing, preferences). Non-essential cookies disabled by default. No Google Analytics, no Meta Pixel, no third-party tracking. Consent revocable at any time.

Built-in

PII encryption

Personal data fields encrypted at rest. API keys stored as SHA-256 hashes only. Community passwords hashed with bcryptjs (cost factor 12+). Session cookies use httpOnly, Secure, and SameSite flags.

Always on

Workspace data isolation

Every database query is scoped to the workspace level. Cross-workspace data access is impossible by design. Prisma middleware enforces scoping as a safety net: unscoped queries throw errors in development.

Enforced

Immutable audit logging

Every security-relevant action is logged: data exports, deletions, API key operations, role changes, member management. Audit logs contain only resource IDs and action types, never content or PII.

Automated

Data retention policies

Concrete retention periods: 30 days for sessions, 48 hours for GDPR exports, 90 days for payment events. Automated cleanup via daily and weekly cron jobs. No indefinite data hoarding.

Automated

Data minimization

IP addresses stored as country only. Error reports PII-scrubbed before transmission to Sentry. AI prompts minimized: no emails, names, or payment data sent to Anthropic. Survey respondents anonymous by default.

By design

Transparent sub-processor management.

We work with 7 sub-processors, each with a Data Processing Agreement in place. All sub-processors, their data scope, and storage locations are documented in our Privacy Policy. An up-to-date sub-processor list is available on request.

FOR YOUR CUSTOMERS

Help your customers trust you.

Anonymous survey respondents

Survey respondents are anonymous by default, identified only by a random response code. No IP addresses stored on response sessions. You control which additional data to collect.

Community member privacy

Community members authenticate via magic link or password. Hard delete on member removal: all associated data permanently removed. No ghost data left behind.

Data Processing Agreement

We provide a DPA for business customers, covering our role as data processor under Art. 28 GDPR. Available on request at [email protected].

Questions about GDPR compliance?

We're happy to discuss our compliance approach, provide our DPA, or walk through specific requirements for your organization.

FAQ

GDPR questions
